Traditional on-premises IT has evolved into a hybrid model in which public and private clouds are now part of the ecosystem. Adding the cloud dimension introduces new security risks, which makes it even more important to adopt a cohesive and holistic security policy.
This is the first in a two-part blog on the security risks involved in cloud computing. Thoroughly understanding and mitigating these risks is fundamental to realizing the full benefits of the cloud. This first post focuses on the different types of security risks. The second will discuss the solutions and expertise required to ensure cloud security.
Cloud-based security risks can be grouped into one of four categories:
1. Cloud services (infrastructure, applications, hosted code)
This category encompasses the cloud services themselves and any application or middleware that has been deployed. Security concerns around software or middleware vulnerabilities, viruses and external threats fall into this category. The concerns here are further intensified, given that public cloud services typically exist within multi-tenant environments where cloud services for multiple clients are logically isolated but served from the same physical servers and data centers.
2. Data
Data-specific concerns are particularly prevalent within public cloud or private cloud environments. These concerns include data integrity, data lock-in, data remanence and provenance, data confidentiality and user privacy.
There also are concerns around data sovereignty—the concept that data is subject to the laws of the country in which it is located. Depending on the specific countries in which an organization operates, there may be a need to keep certain types of data within a defined geographic boundary, likely resulting in geographical restrictions on the cloud services that can be used.
Further, the impact of the U.S. Patriot Act must be considered as it affects U.S.-based corporations as well as their wholly-owned subsidiaries based within and outside of the European Union.
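The geographic restrictions described above only help if they are checked against what is actually deployed. The following script is an added example (not part of the original post) that takes a constructed inventory of resources spread across two providers, maps each data classification to its permitted regions, and reports anything stored outside them. Provider names, region codes, classifications and the residency rules are all assumptions made for the illustration; an unlabelled resource is reported as well, because an unclassified dataset cannot be shown to be compliant.

```python
"""Data-residency check: flag cloud resources stored outside the regions
permitted for their data classification.

Added example, not part of the original post. Resource records, region
codes and residency rules below are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed residency policy: classification -> permitted regions.
# Assumption: region codes follow a <area>-<site> convention.
RESIDENCY_RULES = {
    "eu-personal": {"eu-west", "eu-central"},   # must stay inside the EU
    "us-financial": {"us-east", "us-west"},
    "public": None,                              # no restriction
}


@dataclass(frozen=True)
class Resource:
    name: str
    provider: str
    region: str
    classification: str


def residency_violations(resources, rules=RESIDENCY_RULES):
    """Return (resource, reason) pairs for every resource that breaks a rule.

    Unknown classifications are reported too: an unlabelled dataset cannot
    be shown to be compliant with any residency requirement."""
    violations = []
    for r in resources:
        if r.classification not in rules:
            violations.append((r, f"unknown classification {r.classification!r}"))
            continue
        allowed = rules[r.classification]
        if allowed is not None and r.region not in allowed:
            violations.append(
                (r, f"{r.region} not in permitted regions {sorted(allowed)}"))
    return violations


# Constructed inventory spanning two providers (names are placeholders).
SAMPLE_INVENTORY = [
    Resource("hr-records", "provider-a", "eu-west", "eu-personal"),
    Resource("hr-backup", "provider-b", "us-east", "eu-personal"),
    Resource("ledger", "provider-a", "us-west", "us-financial"),
    Resource("marketing-site", "provider-b", "ap-south", "public"),
    Resource("legacy-dump", "provider-a", "eu-west", ""),
]


def report(resources=SAMPLE_INVENTORY):
    """Print each violation and return the names of the offending resources."""
    names = []
    for r, reason in residency_violations(resources):
        print(f"VIOLATION {r.provider}/{r.name}: {reason}")
        names.append(r.name)
    return names


if __name__ == "__main__":
    report()
```

In practice the inventory would be pulled from each provider's API rather than hard-coded, and the rules table would be owned by whoever sets the organization's data-classification policy; the check itself stays the same.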
3. Cloud access and identity
This category comprises concerns around cloud access—authentication, authorization and access control or AAA—as well as encrypted data communication and user identity management. Secure, definitive and efficient on-boarding and off-boarding become more challenging as organizations adopt cloud services from multiple service providers.
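The off-boarding problem across several providers comes down to reconciling each provider's user list against one authoritative list of current staff. The script below is an added example (not from the original post) that does that reconciliation on constructed data: it reports enabled accounts with no matching identity (the off-boarding gap), disabled accounts that were never deleted and could be re-enabled, and staff who have no account anywhere. The provider names, e-mail addresses and the assumption that every provider account carries the corporate e-mail are all made up for the illustration.

```python
"""Off-boarding reconciliation across several cloud providers.

Added example, not from the original post. Given the authoritative list of
current staff (e.g. an HR export) and the user lists pulled from each
provider, it reports accounts that should have been removed and accounts
that exist without a matching identity. All data below is constructed.
"""

# Constructed authoritative identity list (lower-cased e-mail as the key).
CURRENT_STAFF = {"alice@example.org", "bob@example.org", "dana@example.org"}

# Constructed per-provider user exports. Assumption: each provider account
# carries the corporate e-mail; the 'enabled' flag is the provider's view.
PROVIDER_USERS = {
    "provider-a": [
        {"email": "Alice@example.org", "enabled": True},
        {"email": "carol@example.org", "enabled": True},      # left the company
        {"email": "dana@example.org", "enabled": True},
    ],
    "provider-b": [
        {"email": "bob@example.org", "enabled": True},
        {"email": "carol@example.org", "enabled": False},     # disabled, not deleted
        {"email": "svc-backup@example.org", "enabled": True},  # no matching person
    ],
}


def reconcile(staff, provider_users):
    """Return {provider: {"orphaned": [...], "stale_disabled": [...]}}.

    orphaned: enabled accounts whose identity is not in the staff list
    (former staff or unowned service accounts), i.e. the off-boarding gap.
    stale_disabled: disabled accounts not in the staff list; these should be
    deleted so they cannot simply be re-enabled later."""
    staff = {s.lower() for s in staff}
    result = {}
    for provider, users in provider_users.items():
        orphaned, stale = [], []
        for u in users:
            email = u["email"].lower()
            if email in staff:
                continue
            (orphaned if u["enabled"] else stale).append(email)
        result[provider] = {"orphaned": sorted(orphaned),
                            "stale_disabled": sorted(stale)}
    return result


def missing_access(staff, provider_users):
    """Identities with no account in any provider: the on-boarding counterpart."""
    seen = {u["email"].lower()
            for users in provider_users.values() for u in users}
    return sorted(s.lower() for s in staff if s.lower() not in seen)


if __name__ == "__main__":
    for provider, findings in reconcile(CURRENT_STAFF, PROVIDER_USERS).items():
        print(provider, findings)
    print("no account anywhere:", missing_access(CURRENT_STAFF, PROVIDER_USERS))
```

Matching on e-mail is the simplifying assumption here; in a real deployment the join key would be whatever identifier the identity provider issues, and the report would feed a ticket rather than just a printout.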
4. Regulatory compliance
Due to the size and disruptive influence of cloud computing, it is attracting attention from regulatory agencies, especially with respect to security audits and data location, as well as operational traceability and compliance. Challenges exist in determining whether cloud service providers are compliant with applicable regulations, which might exist outside of the cloud service provider's own legal jurisdiction.
Identifying and understanding these risks is the first step to addressing them. A cloud security expert is a vital resource to ensure an organization has a thorough picture of these risks and a roadmap for mitigating them. CGI's managed cloud security and advisory services help clients across many industries improve their hybrid IT and cloud security postures more effectively and at lower cost than doing it themselves.
In my next blog post, I will discuss the solutions and expertise required to ensure cloud security. In the meantime, feel free to contact me with any questions on this important topic.
You make some very valid points. Cloud certainly doesn't change the background certification and compliance requirements for customers and it's beholden on cloud service providers to support customers in their environments to continue to meet those thresholds and not introduce unnecessary complexity and costs.
Likewise, the ability to control and command infrastructure via a virtualised login-based system introduces its own risks. The ability to delete large-scale infrastructure is difficult in the physical world hosted in a high-security data center, so it's a high bar to meet with the cloud via an API or browser-based interface. The cloud must achieve comparable levels of security to ensure customers have assurance regarding delivery of their computing infrastructure and data.
The good news is that a lot of progress has been made around these areas over the last five years and so, whilst customers need to be cognisant of the challenges and make sensible choices around providers, the tool-set does exist to meet requirements and the relevant key performance characteristics of core traditional infrastructure deployments. The debate then moves to one of commercial imperative: What makes sense to deliver via cloud? What makes sense to keep in-house? etc. Technical requirements should not define the debate any more.